Danabot: Analyzing a fallen empire

As introduced by the US Department of Justice – the FBI and US DoD’s Defense Criminal Investigative Service (DCIS) have managed to disrupt the infrastructure of the infamous infostealer, Danabot. ESET is likely one of the many cybersecurity firms to take part on this long-term endeavor, changing into concerned again in 2018. Our contribution included offering technical analyses of the malware and its backend infrastructure, in addition to figuring out Danabot’s C&C servers. The joint takedown effort additionally led to the identification of people accountable for Danabot growth, gross sales, administration, and extra. ESET took half within the effort alongside with Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru, Zscaler, Germany’s Bundeskriminalamt, the Netherlands’ National Police, and the Australian Federal Police.

These legislation enforcement operations had been performed below Operation Endgame – an ongoing international initiative aimed toward figuring out, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation efficiently took down important infrastructure used to deploy ransomware by means of malicious software program.

Since Danabot has largely been disrupted, we’ll use this chance to share our insights into the workings of this malware-as-a-service (MaaS) operation, overlaying the options used within the newest variations of the malware, the authors’ enterprise mannequin, and an outline of the toolset supplied to associates. Apart from exfiltrating delicate information, we have now noticed that Danabot can also be used to ship additional malware – together with ransomware – to an already compromised system.

Key factors of the blogpost:

• ESET Research has been monitoring Danabot’s exercise since 2018 as a part of a world effort that resulted in a significant disruption of the malware’s infrastructure.
• While primarily developed as an infostealer and banking trojan, Danabot additionally has been used to distribute extra malware, together with ransomware.
• Danabot’s authors promote their toolset by means of underground boards and provide numerous rental choices to potential associates.
• The typical toolset supplied by Danabot’s authors to their associates contains an administration panel utility, a backconnect software for real-time management of bots, and a proxy server utility that relays the communication between the bots and the precise C&C server.
• Affiliates can select from numerous choices to generate new Danabot builds, and it’s their duty to distribute these builds by means of their very own campaigns.

Background

Danabot, which belongs to a bunch of infostealer and/or banking malware households coded within the Delphi programming language, gained prominence in 2018 by being utilized in a spam marketing campaign focusing on Australian customers. Since then, Danabot has expanded to different markets by means of numerous campaigns, undergone a number of main updates of its internals and backend infrastructure, and skilled each peaks and downturns in recognition amongst cybercriminals.

Throughout our monitoring since 2018, ESET has tracked and analyzed a considerable variety of distinct samples and recognized greater than 1,000 distinctive C&C servers. During that interval, ESET analyzed numerous Danabot campaigns all around the world, with Poland traditionally being one of the vital focused nations, as seen in Figure 1.

In addition to typical cybercrime, Danabot has additionally been utilized in much less typical actions equivalent to using compromised machines for launching DDoS assaults. For instance, a DDoS assault in opposition to Ukraine’s Ministry of Defense was noticed by Zscaler quickly after the Russian invasion of Ukraine. A really comparable DDoS module to the one utilized in that assault was additionally utilized by a Danabot operator to focus on a Russian website devoted to Arduino growth. These actions had been in all probability motivated by the affiliate’s personal ambitions and political motivations.

Danabot group introduction

The authors of Danabot function as a single group, providing their software for lease to potential associates, who subsequently make use of it for their very own malicious functions by establishing and managing their very own botnets. The authors have even arrange a help web page on the Tor community with detailed details about the capabilities of their software, as depicted in Figure 2.

To purchase new clients, Danabot is regularly promoted in underground boards by the consumer JimmBee, who acts as one of many major builders and directors of the Danabot malware and its toolset. Another noteworthy individual from the Danabot group is a consumer recognized in underground boards as Onix, who coadministers the Danabot infrastructure and can also be accountable for gross sales operations.

Feature overview

Danabot’s authors have developed an enormous number of options to help clients with their malevolent aims. The most distinguished options supplied by Danabot embody:

• the power to steal numerous information from browsers, mail shoppers, FTP shoppers, and different common software program,
• keylogging and display recording,
• real-time distant management of the victims’ methods,
• a FileGrabber command, generally used for stealing cryptocurrency wallets,
• help for Zeus-like webinjects and type grabbing, and
• arbitrary payload add and execution.

Besides using its stealing capabilities, we have now noticed quite a lot of payloads being distributed by means of Danabot through the years, equivalent to:

• SystemBC,
• Rescoms,
• Ursnif,
• Smokeloader,
• Zloader,
• Lumma Stealer,
• RecordBreaker,
• Latrodectus, and
• NetSupportManager distant administration software.

Furthermore, we have now encountered situations of Danabot getting used to obtain ransomware onto already compromised methods. We can title LockBit, Buran, Crisis, and a NonRansomware variant being pushed on a number of events.

Danabot’s capacity to obtain and execute arbitrary payloads shouldn’t be the one characteristic used to distribute extra malware. Danabot was additionally noticed getting used as a software at hand off management of the botnet to a ransomware operator, as reported by Microsoft Threat Intelligence in late 2023.

Distribution strategies

Throughout its existence, in line with our monitoring, Danabot has been a software of alternative for a lot of cybercriminals and every of them has used completely different technique of distribution. Danabot’s builders even partnered with the authors of a number of malware cryptors and loaders, and supplied particular pricing for a distribution bundle to their clients, serving to them with the method. Matanbuchus is an instance of such a promoted loader.

Over the years, we have now seen all types of distribution strategies being utilized by Danabot associates, together with:

• quite a few variants of e-mail spam campaigns,
• different malware equivalent to Smokeloader, DarkGate, and Matanbuchus, and
• misuse of Google Ads.

Recently, out of all distribution mechanisms we noticed, the misuse of Google Ads to show seemingly related, however really malicious, web sites among the many sponsored hyperlinks in Google search outcomes stands out as one of the vital distinguished strategies to lure victims into downloading Danabot. The hottest ploy is packing the malware with authentic software program and providing such a bundle by means of bogus software program websites (Figure 3) or web sites falsely promising customers to assist them discover unclaimed funds (Figure 4).

The newest addition to those social engineering strategies: misleading web sites providing options for fabricated laptop points, whose solely objective is to lure the sufferer into execution of a malicious command secretly inserted into the consumer’s clipboard. An instance of such an internet site resulting in downloading of Danabot in Figure 5.

Infrastructure

Overview

Initially, Danabot’s authors relied on a single centralized server to handle all bots’ connections and all associates’ information, equivalent to command configurations and information collected from their victims. This centralized strategy actually had a damaging impression on that server’s efficiency and was extra vulnerable to attainable disruptions. This might be one of many the reason why we noticed a shift within the enterprise and infrastructure fashions in newer variations. In addition to renting locations on their very own infrastructure, Danabot’s authors now provide set up of a personal server, as marketed on their help website, to be operated by the affiliate (Figure 6).

The rental choices, as supplied by means of an underground discussion board in July 2023, are illustrated in Figure 7.

It is price mentioning that, based mostly on our monitoring, the rental of an account on the shared infrastructure managed by Danabot’s authors appears to be the most well-liked alternative for menace actors.

When associates buy a rental of one of many choices, they’re given instruments and credentials to hook up with the C&C server and handle their very own botnet by means of an administration panel. In the next sections, we cowl the completely different components of the everyday toolset.

C&C server utility

The standalone server utility comes within the type of a DLL file and acts because the mind of the botnet. It is put in on a Windows server and makes use of a MySQL database for information administration. Bots hook up with this server to transmit stolen information and obtain instructions issued by associates. Affiliates hook up with this server through the administration panel utility to handle their botnet. This C&C server utility is accessible for native set up just for associates paying for the upper tier private server possibility. Affiliates who select to function their botnets on Danabot’s infrastructure as a substitute are given connection particulars to the C&C server already arrange there, and don’t must host their very own C&C server.

Administration panel

The administration panel, displayed in Figure 8, is within the type of a GUI utility, and represents an important software from the botnet operator’s perspective. It permits the affiliate to hook up with the C&C server and carry out duties equivalent to:

• handle bots and retrieve statistics of the botnet,
• situation numerous instructions and superior configuration for bots,
• conveniently view and export information gathered from victims,
• handle the notification system and arrange alerts on occasions triggered by bots,
• generate new Danabot builds, and
• arrange a series of proxy servers for communication between the bots and the C&C server.

We present extra particulars and examples of probably the most attention-grabbing capabilities of the administration panel within the upcoming sections.

Backconnect software

Another essential software for administration is the standalone utility that permits botnet operators to remotely hook up with and management their on-line bots. Available actions for distant management, as seen within the software, are illustrated in Figure 9. Probably probably the most attention-grabbing options for cybercriminals are the power to see and management the sufferer’s laptop through a distant desktop connection and to carry out reconnaissance of the file system utilizing the built-in file supervisor.

Proxy server utility

Bots usually don’t hook up with the principle C&C server immediately, however quite use a series of proxies to relay the site visitors and conceal the situation of the actual backend C&C. To facilitate this technique, Danabot’s authors present a proxy server utility, obtainable for each Windows and Linux methods. Figure 10 exhibits the utilization message from the Linux model of this easy proxy server utility. Besides utilizing proxies, bots might be configured to speak with the server by means of the Tor community in case all proxy chains grow to be unavailable. An non-obligatory downloadable Tor module is then used for such communication.

Affiliates additionally regularly make the most of this proxy server utility as an middleman between their administration panel and the C&C server to additional improve their anonymity. When all the things is put collectively, the everyday infrastructure might look as proven in Figure 11.

Internals

Communication

Danabot employs its personal proprietary C&C communication protocol with its information encrypted utilizing AES-256. Generated AES session keys, distinctive for each message, are then additional encrypted utilizing RSA key pairs, securing the entire communication. It’s price mentioning that there have been a number of updates to the communication protocol and the packet construction over time.

The present packet information construction of the everyday command, earlier than it’s encrypted, seems as proven in Table 1 . We want to level out that many of the fields are solely used in the course of the first request within the communication loop to authenticate the bot, and are left unset within the subsequent instructions.

Table 1. Packet construction utilized in Danabot communication

The latest variations of Danabot additionally add, to additional disguise its communication, a random quantity of seemingly junk bytes to the top of the packet construction earlier than it’s encrypted. It’s price mentioning that Danabot authors don’t all the time comply with the very best coding practices and the addition of this random variety of bytes was performed by resizing of the unique reminiscence buffer allotted to carry the packet construction as a substitute of clearing or initializing this newly acquired area. This led to unintentionally together with surrounding reminiscence areas of the method into the information packet being despatched from the bot to the server and, extra importantly, vice versa. These appended reminiscence areas captured and decrypted from the server-to-bot communication typically contained attention-grabbing info from the server’s course of reminiscence and gave researchers useful perception into Danabot’s infrastructure and its customers. This bug was launched in 2022 and was fastened within the newest variations of Danabot in February 2025.

Further particulars concerning the communication and its encryption had been already coated by numerous researchers, and we gained’t dive into it extra on this blogpost.

Builds

Botnet operators have a number of choices for producing new Danabot builds to distribute to their victims. To the very best of our information, whereas the operator might configure the construct course of and desired output by means of the administration panel utility, the construct course of itself is carried out on the Danabot authors’ servers. After producing the chosen construct, the operator receives obtain hyperlinks for the builds and turns into accountable for their distribution in a marketing campaign.

Figure 12 exhibits an instance of a construct configuration window and obtainable choices, such because the C&C server checklist to be configured within the ultimate binary file, numerous obfuscation strategies, construct bitness, and so on.

Danabot at the moment gives 4 primary payload varieties, described in Table 2.

Table 2. Variants of obtainable builds

Payload sort	Description
Main.dll	Generates a sole major part within the type of a DLL to be distributed and loaded through rundll32.exe or regsvr32.exe.
Main.exe	Generates a loader within the type of an EXE which will include the abovementioned major part DLL or obtain it from one of many configured C&C servers.
Drop.exe	Generates a dropper with an embedded major part DLL to be dropped to disk.
Drop.msi	Generates an MSI bundle with an embedded major part DLL to be loaded.

Commands configuration

A botnet operator can situation a complicated configuration to the bots by means of the administration panel. Bots are then ordered to carry out numerous instructions in line with the directions acquired. Figure 13 exhibits an instance of such a command configuration.

Table 3 lists the obtainable instructions that may be issued. Each process has its personal particular choices to additional accommodate the operator’s wants.

Table 3. Available instructions

Command	Description
Video	Record a video of the chosen utility or web site.
KeyLogger	Capture keystrokes from the chosen utility.
PostFilter	Grab info from sure web sites’ kinds.
WebInject	Allow Zeus-like webinjects on sure loaded web sites to change their perform.
Redirect	Allow redirection of sure URLs.
Block	Block entry to configured URLs.
Screens	Take screenshots of a particular utility or web site at sure intervals.
Alerts	Allow notifications to be despatched to a particular Jabber account on a configurable occasion.
Uninstall	Uninstall the bot from the system.
UAC	Provide help for privilege escalation.
FileGrabber	Allow sure information to be uploaded to the C&C if discovered on the sufferer’s exhausting disk.
TorEnergetic	Enable loading of a Tor module and permit connection through the Tor community if all C&C servers are inaccessible.
Stealer	Enable/disable the stealer performance and set its replace interval.
TimeOut	Set interval for the bot to contact its C&C server.
Install	Configure the bot’s set up on the system and its persistence.
Exclusion	Set exclusions in Windows Defender or Windows Firewall for a particular course of.
ConfigSave	Save the bot’s configuration earlier than its termination.
HideProcess	Hide the bot’s course of.
CoreProtect	Allow the principle part to be injected into an extra course of.

Additional payloads

Danabot additionally supplies the potential to obtain and execute additional executable information. This characteristic permits the botnet operator to configure the set up of extra malware to the compromised system, as talked about earlier. Figure 14 exhibits obtainable choices for this characteristic within the administration panel utility.

Conclusion

Danabot is a large-scale MaaS operation distributing a big selection of instruments for the malware associates’ disposal. Our investigation of this infostealer, which began in 2018, resulted within the evaluation of Danabot’s toolset supplied on this blogpost. The efforts of the authorities and several other cybersecurity firms, ESET included, led to the disruption of the malware’s infrastructure. It stays to be seen whether or not Danabot can recuperate from the takedown. The blow will, nonetheless, certainly be felt, since legislation enforcement managed to unmask a number of people concerned within the malware’s operations.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research gives non-public APT intelligence stories and information feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.

IoCs

Files

Network

MITRE ATT&CK strategies

This desk was constructed utilizing model 17 of the MITRE ATT&CK framework.